
Social engineering fraud - how to protect your commercial client

What is social engineering and how can I help protect my client’s business?

This blogpost originally ran on our Tribal website. It has been modified here for use by Core Commercial BOP and Package producers.

Does your client need to worry about social engineering at their small-to-medium-sized business (SMB)? They do if they use bank accounts and handle sensitive information such as employee records. And that’s pretty much every business that exists.

But we’re a small enterprise, your clients may say. Yes, those hackers from China, Russia and North Korea typically go after bigger corporations, but that doesn’t mean your SMB client is safe. Cyber security leader Symantec’s 2018 Internet Security Threat Report said that there was an equal number of email-borne malware attacks targeting smaller companies and large enterprises. In fact, 43 percent of “spear phishing” attacks in recent years were aimed at small businesses. (Spear phishing tricks the intended victim into providing personal information such as bank accounts that he wouldn’t typically give so easily. Hackers can provide enough personal information about the intended victim to be more believable than the typical widespread phishing emails that we’ve all learned to delete.)

So, let’s start with a definition of social engineering and provide some scenarios that occur all too often. The first thing your client needs to know is that social engineering fraud relies heavily on human interaction, usually tricking people into breaking normal security procedures.

How social engineering manipulates and mimics you

Most of us have learned not to use “Password123” or “010101” as our password. We know to change them a few times a year, and use a combination of letters, symbols and numbers. Consequently, hacking has become just a little more difficult – or at least, more sophisticated.

So some fraudsters figure it’s easier to go after the weakest link: an employee’s feelings and vulnerability, rather than try to hack their passwords. Think of it as a con game: The con man studies his victim, getting to know her, and then persuades her to do something that she wouldn’t otherwise do, because the victim thinks she’s protecting herself or her company. Criminals are trying to manipulate employees into providing necessary passwords or bank information – or into providing access to their computer to install malware that will take over and block the entire company from using its computers until the ransom is paid (this ploy uses ransomware; read more on Arrowhead’s cyber attacks blogpost).

What are some common social engineering ploys?

It could be as simple as being tricked into thinking your computer has been infected with malware (a computer virus), or that you’ve accidentally downloaded illegal content – then the con man offers you a solution to instantly fix the bogus problem. But the “fix” actually downloads the malware so hackers can gain access.

Or it could be something as simple as the bad guy leaving a USB thumb drive where you’re sure to find it. You load it onto your computer so that you can figure out who it belongs to, and instantly, you’ve installed malware.

Probably the most common scheme is hacking into someone’s email and then sending out a mass email to their contacts asking them to open a link that promises to be just too good to pass up. They may even leave messages on all their social pages as well, with that message “Hey you guys, check this out <link>. Can you believe it?” Curious friends click on the link because, hey, it came from their buddy, and voila! their computer is infected as well, and emails go out to their friends, and so on and so forth. You can read more examples of social engineering and other cyber fraud here.

One newer scheme is nicknamed “dire wolf” after the famous Game of Thrones HBO series, reports RiskAndInsurance.com. Here’s how it works: an employee unknowingly downloads malware from an attachment (disguised in a PDF or a link to a video). The malware sits dormant until it detects someone in your computer system navigating to a bank website. It launches a fake pop-up telling the employee that the bank website is having issues, so please call this number for banking help.

The kindly operator asks for all your log-in credentials in order to “help” you – but in actuality, that information is quickly used to access your bank account and instruct a large wire transfer.

Another scam called “speartexting” targets someone in your financial department via an email supposedly sent by the CFO, CEO or senior executive, telling them that your company is involved in a highly confidential acquisition and their help is needed to complete a wire transfer. The criminals have already hacked that CEO’s or CFO’s email and read enough of their emails to mimic their tone and writing style, so that the employee is convinced it’s legit. They use language to flatter the intended victim, assuring them they’re now part of the inner circle. The employee jumps to obey…and you know what happens next.
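The executive-impersonation scheme above has a recognisable shape in the mail itself: an executive’s name on the From line, a request to move money, and pressure to keep it quiet. The following triage check is an added example, not code from the original post or from Arrowhead; it scores constructed sample messages for those indicators. The company domain (`example.com`) and the executive roster are assumptions made up for the example. Note the caveat the post itself implies: when the CEO’s real mailbox has been hacked, every header check passes, so the script insists on out-of-band verification of any money request in an executive’s name regardless of score.

```python
"""Added example: score inbound mail for executive-impersonation indicators.

Not part of the original post. The domain and roster below are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed for this example): the client's own mail domain and
# a roster mapping executive display names to their genuine addresses.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
}

# Body phrases typical of a money-movement request and of secrecy/time pressure.
MONEY_RE = re.compile(r"\b(wire|transfer|payment|bank details|account number)\b", re.I)
PRESSURE_RE = re.compile(
    r"\b(urgent|immediately|today|confidential|acquisition|"
    r"do not (?:share|discuss|mention))\b", re.I)


def score_message(raw: str) -> dict:
    """Score one raw RFC 5322 message for executive-impersonation indicators.

    Returns the individual flags, a header-based score (0-3), and whether the
    request must be confirmed out of band (e.g. by phone) before acting on it.
    """
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    addr, reply_to = addr.lower(), reply_to.lower()

    known = EXECUTIVES.get(display.strip().lower())
    flags = {
        # An executive's display name paired with an address that is not theirs.
        "exec_name_lookalike": known is not None and addr != known,
        # Reply-To quietly redirects the conversation to another mailbox.
        "reply_to_mismatch": bool(reply_to) and reply_to != addr,
        # Sender is outside the company's own domain.
        "external_sender": not addr.endswith("@" + COMPANY_DOMAIN),
        # Body asks for money movement and applies secrecy or time pressure.
        "money_request": bool(MONEY_RE.search(body)),
        "pressure": bool(PRESSURE_RE.search(body)),
    }
    header_score = sum(
        flags[k] for k in ("exec_name_lookalike", "reply_to_mismatch", "external_sender"))
    # A genuinely compromised executive mailbox passes every header check, so a
    # money request in an executive's name is verified out of band regardless.
    verify = flags["money_request"] and known is not None
    return {"flags": flags, "header_score": header_score, "verify_out_of_band": verify}


# Constructed sample messages (not real mail).
LOOKALIKE = "\n".join([
    'From: "Jane Doe" <jane.doe@example-corp.co>',
    "Reply-To: <jd.private@mail.example>",
    "To: ap@example.com",
    "Subject: Quick favour",
    "",
    "I need you to handle a confidential wire transfer today for the",
    "acquisition. Do not discuss this with anyone else.",
])
COMPROMISED = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "To: ap@example.com",
    "Subject: Vendor payment",
    "",
    "Please process the wire transfer to the vendor before noon.",
])
BENIGN = "\n".join([
    'From: "Bob Smith" <bob@example.com>',
    "To: ap@example.com",
    "Subject: Lunch",
    "",
    "Lunch on Friday?",
])

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("compromised", COMPROMISED), ("benign", BENIGN)):
        print(name, score_message(raw))
```

The header score is useful for spotting the lookalike-domain and Reply-To tricks, but the `verify_out_of_band` flag is the control that actually matters for the scenario the post describes, because a hacked genuine account produces a header score of zero.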

One last example is called “tailgating,” when the hacker, lacking proper authentication, physically follows an employee into a restricted area. The hacker may impersonate a delivery driver, asking an employee to hold a door open for him. Often it’s easy for a hacker to simply strike up a conversation with an employee who swipes his card and then allows the hacker inside. Once inside, the hacker can access the wireless network and gain entry to a multitude of systems. One good hacker (a security consultant) used this tactic to gain access to several floors plus a data room. He even based himself in a meeting room on company premises for several days, reports a Tripwire blogpost on social engineering attacks.

Oftentimes companies are reluctant to bring in law enforcement, because they don’t want the negative publicity. This only perpetuates the problem, because hackers continue to get away with their schemes, say cyber fraud experts.